Osiris Labs
Osiris LabsMay 29, 20269 min Read

The Most Convincing Phishing Email in 2026 Might Be Completely Boring

Hero

Ask most people to picture a phishing email and they describe something loud. A frozen account. A prize. A threat of legal action if you do not click in the next twenty-four hours. A message that shouts. That picture is a decade out of date, and holding on to it is now a liability, because the emails most likely to cost an organisation money in 2026 do not shout at all. They are calm, ordinary and specific. They look like work.

The uncomfortable truth is that drama was always a symptom of weakness. An attacker leaned on urgency and fear because they had nothing better: no context, no relationship, no legitimate-looking way in. As attackers have gained all three, they have stopped needing the theatrics. The most dangerous message in the inbox is no longer the one that stands out. It is the one that blends in.

Why boring is the point

Every classic phishing red flag was really a proxy for something an attacker could not do well. Bad grammar signalled someone working outside their language. Wild urgency signalled someone who could not afford for you to stop and think. A stranger's address signalled a sender with no real relationship to you. Staff were trained to spot these tells, and for years the training worked because the tells were hard to remove.

They are not hard to remove any more. Fluent, on-brand writing is free, a point we cover in detail in why AI reached the scammers first. And the two techniques defining the current wave of email attacks go further than clean prose: they strip out urgency, strip out the unfamiliar sender, and strip out anything that would prompt a second look. What is left is a message with no surface for suspicion to catch on. Boring is not a side effect. It is the design goal.

Two everyday-looking techniques show how far this has gone.

The boring QR code

Quishing, phishing that hides the malicious link inside a QR code, is boring by construction. There is no misspelled link to hover over, because there is no visible link at all. The email often carries almost no text: a short note about a voicemail, a shared document, a multi-factor authentication reset, and a square to scan. Nothing to read means nothing to get wrong, and nothing for a suspicious eye to snag on.

It also quietly moves the victim off the defended device. A QR code is designed to be scanned with a phone, so the click that matters happens on a personal mobile that is often outside the organisation's security controls and away from the trained instinct to check a URL. The blandness of the email and the shift to mobile are the whole trick.

The numbers show how quickly attackers adopted it. QR-based phishing climbed from a negligible share of attacks a few years ago to a meaningful slice of all phishing in 2025, and the growth within the year was steep: Sublime Security's analysis of 2025 email threats recorded a 282.7% rise in QR-code phishing between the first and second halves of the year. A technique works at that scale precisely because it gives the recipient so little to react to.

The reply that belongs

The second technique is quieter still, and more effective. In thread hijacking, also called conversation hijacking, the attacker does not start a new conversation. They continue a real one. Using a compromised mailbox or a convincing lookalike domain, they reply inside an existing email thread, one that already contains genuine history, real names, a real subject line and a real reason to be talking. Then they steer it: new bank details for an invoice that was already being discussed, a link to review a document the recipient was already expecting.

Everything the recipient uses to judge trust points the right way. The subject is one they recognise. The conversation is one they were part of. The tone matches what came before, because the attacker can read the earlier messages and match them. There is no unfamiliar sender to question, because the sender appears to be someone already in the thread.

This is now the leading form of business email compromise, not a fringe tactic. Sublime's 2026 report found that thread hijacking and fake threads together make up 28.1% of all BEC attacks, overtaking traditional cold-email BEC for the first time. Barracuda has separately tracked conversation hijacking rising sharply in recent years. Attackers moved here because the hijacked thread removes the last obvious tell: the stranger.

Thread hijacking inherits the trust of a real conversation. Every classic red flag has already been removed before the recipient reads a word.

What these two have in common

Quishing and thread hijacking look different, but they attack the same thing. Both are engineered to defeat human recognition by removing everything a human was trained to recognise. No bad grammar, because there is barely any text, or because the text is borrowed from a real person. No urgency, because urgency invites scrutiny. No unfamiliar sender, because the sender is hidden inside a QR code or inside a thread you trust. They do not try to beat the alarm. They make sure it never rings.

That is why judging an email by how it looks has quietly become the wrong test. The whole point of a boring attack is that it looks fine.

The most dangerous email in the inbox is not the one that looks wrong. It is the one that gives you nothing to react to, because the attacker has removed every signal you were taught to watch for.

Dramatic phishing versus boring phishing

The shift is easiest to see side by side. The left column is the attack organisations trained their people to catch. The right column is the attack now landing in their inboxes.

Dramatic phishing (the old picture)Boring phishing (the current reality)
Emotional toneUrgency, fear, a threat or a prizeCalm, routine, indistinguishable from work
SenderUnknown or obviously spoofedA hijacked real thread or a trusted lookalike
TextLong, pressuring, often clumsyMinimal, or borrowed from a genuine message
The askClick now or lose accessApprove this invoice, scan this code, review this file
Obvious red flagPresent, and the training catches itRemoved by design
What catches itHuman recognitionContext, sender history, authentication, intent

The bottom row is the important one. When the attack is built to pass the human eye, the thing that catches it cannot be the human eye.

What actually catches a boring email

If the readable surface no longer separates real from fake, detection has to rest on the signals underneath it, the ones an attacker cannot smooth over by writing well or hiding inside a thread.

Sender identity and history come first. Whether the domain is authenticated, whether it was registered days ago, whether this person has ever corresponded with this recipient, and whether a reply-to address quietly differs from the display name are all far harder to fake than tone. In a hijacked thread, the tell is rarely the words: it is a sending domain that does not match the real participant, or a mailbox suddenly behaving in a way it never has. Where a link goes matters more than the words around it, and a QR code is just a link that has been made harder to read, so it deserves the same scrutiny, resolved and checked rather than trusted because the email was short. Intent matters on its own terms: a change to payment details, a request to move money, a prompt to authenticate always carries risk, no matter how ordinary the phrasing. And behaviour ties it together, because a genuine account acting out of character, or a request that breaks the established pattern between two people, is a signal no amount of polish can remove.

The connecting idea is context. Any one of these signals can be explained away in isolation. Weighed together, and measured against what is normal for this specific sender and this specific recipient, they describe whether a message deserves trust far more reliably than how it reads. This is the same logic behind business email compromise that carries no malicious payload at all: when there is no bad link and no attachment to scan, the only thing left to judge is context.

This is the level Osiris is built to work at. Rather than scoring an email on how suspicious it looks, it investigates the request behind it: is this sender who they appear to be, has this conversation behaved this way before, does this action make sense for these two people, and where does every link actually lead. A boring email survives a surface check precisely because there is no surface to fail. It does not survive a question about whether the request itself makes sense.

What to do about it

Two practical shifts follow from all this. The first is to retire recognition as the primary defence for your people. Teaching staff to spot bad grammar and dramatic urgency trains them for an attack that is disappearing and leaves them defenceless against the one that is arriving. The more durable lesson is procedural: verify a change to payment details through a second channel every time, treat any request to scan a code or authenticate as worth a pause, and trust the process over the message, even when the message sits inside a familiar thread.

The second is to stop expecting the inbox filter to catch these on appearance alone. A boring, well-formed reply inside a real thread will pass most content-based checks, because there is nothing in the content to fail. Catching it requires a layer that reads identity, history, intent and behaviour, and that can explain what it found, rather than one that waits for a message to look wrong.

Frequently asked questions

Why do phishing emails look so normal now? Because the classic warning signs, bad grammar, wild urgency and an unknown sender, were proxies for things attackers could not previously do well. Fluent writing is now free, and techniques like thread hijacking let attackers send from inside conversations you already trust. Removing the red flags is deliberate: a boring email gives you nothing to react to.

What is quishing? Quishing is phishing that hides the malicious link inside a QR code instead of a clickable link. The email is often almost empty of text, which removes anything a recipient could scrutinise, and scanning the code usually moves the victim onto a personal phone that sits outside the organisation's security controls.

What is thread hijacking, or conversation hijacking? It is when an attacker replies inside a genuine, existing email thread, using a compromised mailbox or a lookalike domain, and steers the real conversation toward a fraudulent action such as changing payment details. Because the subject, history and participants are real, every trust cue points the wrong way.

If the email looks completely normal, how can it be detected? By looking beneath the text. Sender authentication and history, the true destination of any link or QR code, the intent of the request, and whether the sending account is behaving normally are all signals an attacker cannot fix by writing well. Weighed together against what is normal for that sender and recipient, they reveal a boring attack that human recognition would miss.

Is security awareness training still worth doing? Yes, but the lesson has to change. Training people to judge an email by how it reads now trains a skill attackers have specifically neutralised. Training them to verify payment changes through a second channel, to pause on any request to scan a code or authenticate, and to trust process over message is far harder for an attacker to write around.

Key takeaways

The phishing email most likely to succeed in 2026 is not dramatic. It is calm, specific and ordinary, because attackers no longer need urgency or fear to get in. Quishing removes the visible link and moves the victim to an unmanaged phone. Thread hijacking removes the unfamiliar sender by replying inside a real conversation, and is now the leading form of business email compromise. Both work by deleting the very signals staff were trained to spot. Defending against them means moving trust decisions away from how a message looks and toward context: identity, history, intent and behaviour, weighed against what is normal.

See how Osiris reads intent, not appearance

Osiris investigates the request behind every email, sender identity, conversation history, link destinations and account behaviour, so a message that looks perfectly routine is still judged on whether it makes sense. See how Osiris approaches inbound email, or talk to us about your environment.

Sources